Member　Inference　Attack　(MIA)　is　a　key　measure　for　evaluating　privacy　leakage　in　Machine　Learning　(ML)　models,　aiming　to　distinguish　private　members　from　non-members　by　training　the　attack　model.　In　addition　to　the　traditional　MIA,　the　recently　proposed　Generative　Adversarial　Network　(GAN)-based　MIA　can　help　the　adversary　know　the　distribution　of　the　victim＇s　private　dataset,　thereby　significantly　improving　attack　accuracy.　For　traditional　attacks　and　this　new　type　of　attack,　previous　defense　schemes　cannot　handle　the　trade-off　between　privacy　and　utility　well.　To　this　end,　we　propose　a　defense　solution　using　multi-model　ensemble　framework.　Specifically,　we　train　multiple　submodels　to　hide　membership　signals　and　resist　MIA,　achieving　reduced　privacy　leakage　while　guaranteeing　the　effectiveness　of　the　target　model.　Our　security　analysis　shows　that　our　scheme　can　provide　privacy　protection　while　preserving　model　utility.　Experimental　results　on　widely　used　datasets　show　that　our　scheme　can　effectively　resist　MIAs　with　negligible　utility　loss.　©　2008-2012　IEEE.